CVE-2020-10783
CVE-2020-10783 affects Red Hat CloudForms Management Engine (CFME) 4.7/5.0.x; a role-based privilege escalation allowed an attacker with a specific group (EVM-Operator) to perform actions reserved for higher-privileged roles (EVM-Super-administrator), including exporting/importing administrator f...
CVE-2020-10778
CVE-2020-10778 affects Red Hat CloudForms (CFME) 4.7 and 5, where read-only widgets can be edited by removing the disabled attribute due to missing server-side validation, bypassing business logic. The issue is addressed in Red Hat Security Advisory RHSA-2020:3574 for CloudForms 4.7.16 (and relat...
CVE-2020-10778
In Red Hat CloudForms 4.7 and 5, the read-only widgets can be edited by inspecting the forms and dropping the disabled attribute from the fields, since there is no server-side validation. This business logic flaw violates the expected behavior...
CVE-2020-10777
CVE-2020-10777 is a cross-site scripting vulnerability in Red Hat CloudForms (Report Menu title) affecting CloudForms 4.7 and 5. The issue arises from improper sanitization of HTML/JavaScript in the report menu title, enabling a stored XSS attack against an application administrator. Public sourc...
User Impersonation
cfme: CloudForms is vulnerable to User Impersonation in the API for OIDC and SAML...
CloudForms: Missing functional level access control & IDOR lead to compromise
A flaw was found in Red Hat CloudForms where sensitive data could have been leaked to other existing roles. An attacker with low privileges could make use of the EVM-Admin API if certain criteria are met, since there was no privilege check on feature...
CloudForms: Missing access control leads to escalation of admin group privileges
A role-based privilege escalation flaw was found in Red Hat CloudForms where export or import of administrator files was possible. An attacker in the EVM-Operator group can perform actions restricted to the system administrator. Refer to CVE-2020-25716 for the remaining RBAC group fixes...
CloudForms: User Impersonation in the API for OIDC and SAML
A vulnerability was found in Red Hat CloudForms which allows a malicious attacker to impersonate any user or create a non-existent user with any entitlement in the appliance and perform an API request...
Critical: Red Hat Security Advisory: CloudForms 5.0.7 bug fix and enhancement update
An update is now available for CloudForms Management Engine 5.11. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE...
CloudForms: CSV Injection in Orchestration Templates
A flaw was found in Orchestration Template of Red Hat CloudForms where a low privilege user could enter crafted CSV formulae. Successful exploitation will allow an attacker to execute arbitrary code with the privilege of currently logged in user of the system causing serious damage to the victim’...
CloudForms: Server-Side Request Forgery (SSRF) in Ansible Tower Provider
A Server-Side Request Forgery flaw was found in Red Hat CloudForms where malicious requests can be sent from the vulnerable server. An attacker with the privileges to add an Ansible Tower provider could inject URLs with port details or with internal IPs to observe the internal network...
CloudForms: Out-of-band OS Command Injection through conversion host
An out-of-band OS command injection vulnerability was found in Red Hat CloudForms. An authenticated malicious attacker could execute arbitrary commands on the server by sending a specially crafted request. The highest threat from this vulnerability is to data confidentiality and integrity as well...
CloudForms: Business logic bypass through widgets
A business logic flaw was found in Red Hat CloudForms where the read-only values of the Widgets could be altered. An attacker with low privileges could bypass server-side validation by dropping the disabled attribute from the fields...
CloudForms: Cross Site Scripting in report menu title / HTML Code Injection
A flaw was found in the Report Menu of Red Hat CloudForms where the title field was not properly sanitized for HTML and JavaScript inputs. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that Content Security Policy can...
RHEL 8 : CloudForms 5.0.7 update (Critical) (RHSA-2020:3358)
The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3358 advisory. Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual...
Red Hat CloudForms Code Issue Vulnerability
Red Hat CloudForms is a hybrid infrastructure management platform from Red Hat, Inc. The platform provides deployment, management, and other capabilities across virtual machines, clouds, containers, and physical infrastructure. A code issue vulnerability exists in Red Hat CloudForms. The...
Red Hat CloudForms Cross-Site Scripting Vulnerability (CNVD-2020-44409)
Red Hat CloudForms is a hybrid infrastructure management platform from Red Hat, Inc. The platform provides deployment, management, and other capabilities across virtual machines, clouds, containers, and physical infrastructure. A security vulnerability exists in Report Menu in Red Hat CloudForms,...
Red Hat CloudForms Elevation of Privilege Vulnerability
Red Hat CloudForms is a hybrid infrastructure management platform from Red Hat, Inc. The platform provides deployment, management, and other capabilities across virtual machines, clouds, containers, and physical infrastructure. A security vulnerability exists in Red Hat CloudForms that stems from...
Red Hat CloudForms Path Traversal Vulnerability
Red Hat CloudForms is a hybrid infrastructure management platform from Red Hat, Inc. The platform provides deployment, management, and other capabilities across virtual machines, clouds, containers, and physical infrastructure. A path traversal vulnerability exists in Red Hat CloudForms, which...
Red Hat CloudForms Access Control Error Vulnerability
Red Hat CloudForms is a hybrid infrastructure management platform from Red Hat, Inc. The platform provides deployment, management, and other capabilities across virtual machines, clouds, containers, and physical infrastructure. An access control error vulnerability exists in Red Hat CloudForms. T...